Lock down sendmail?
Boris
bbresc512-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org
Fri Jan 28 18:47:37 UTC 2005
My 5 cents here. You can use PAM, although it will keep the box busy
validating requests. So the firewall is still a better choice.
Look up the pam_listfile module. I think it does exactly what you're looking
for.
Boris.
----- Original Message -----
From: "Robert Brockway" <rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org>
To: <tlug-lxSQFCZeNF4 at public.gmane.org>
Sent: Friday, January 28, 2005 7:54 PM
Subject: Re: [TLUG]: Lock down sendmail?
> On Fri, 28 Jan 2005, William O'Higgins wrote:
>
>> what I want. Basically, this is what I'm hoping for:
>>
>> ACCEPT: local mail only
>> SEND: local mail only
>
> When I need to do this I use a firewall. It's a Linux box right?
> Configure iptables to REJECT any attempts to connect to tcp/25 in the
> OUTPUT chain on the box itself.
>
> This way no one fiddling with Sendmail in the future will accidentally
> turn on sending again. Random admins are far less likely to fiddle with a
> firewall (less know how, less think they know how, most realise the
> consequences).
>
> If you did want to do this with Sendmail you could try setting the
> smarthost (DS) as localhost. I've never tried that.
>
> I really recommend a firewall approach if viable.
>
>> Also, is there a simple way to have sshd drop requests from selected
>> IPs? This box has been up two days and it is already on some script
>> kiddie's hit list. Thanks.
>
> Sshd can be compiled with TCP Wrappers support which allows this
> functionality. Even better is to again block access through the firewall.
> Even better is to disable password access and only allow access through
> public key.
>
> Rob
>
> --
> Robert Brockway B.Sc.
> Senior Technical Consultant, OpenTrend Solutions Ltd.
> Phone: 416-669-3073 Email: rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org
> http://www.opentrend.net
> OpenTrend Solutions: Reliable, secure solutions to real world problems.
> Contributing Member of Software in the Public Interest
> (http://www.spi-inc.org)
> --
> The Toronto Linux Users Group. Meetings: http://tlug.ss.org
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
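Added example, not part of the original messages: the firewall approach Rob describes, written as iptables-restore input so the rules can be reviewed before they are loaded. The function name local_mail_rules and the --apply switch are made up for this sketch; it extends his OUTPUT rule with a matching INPUT pair for the "ACCEPT: local mail only" half of the question.

```bash
#!/bin/sh
# Added example (not from the thread): local-only SMTP with iptables.
# local_mail_rules and --apply are names invented for this sketch.

# Print the rules in iptables-restore format so they can be read first.
local_mail_rules() {
    cat <<'EOF'
*filter
# Loopback SMTP is accepted before the REJECT, or local delivery breaks.
-I OUTPUT 1 -o lo -p tcp --dport 25 -j ACCEPT
-I OUTPUT 2 -p tcp --dport 25 -j REJECT --reject-with tcp-reset
# "ACCEPT: local mail only": the same pair for inbound connections.
-I INPUT 1 -i lo -p tcp --dport 25 -j ACCEPT
-I INPUT 2 -p tcp --dport 25 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

case "${1:-}" in
    --apply)
        # Needs root. --noflush keeps the existing ruleset; -I places
        # these rules at the top of each chain, ahead of any ACCEPT.
        local_mail_rules | iptables-restore --noflush
        # Show the result with positions so the ordering can be checked.
        iptables -L OUTPUT -n --line-numbers
        ;;
    *)
        # Default: only print the rules for review.
        local_mail_rules
        ;;
esac
```

Rules loaded this way last until the next reboot; saving them is distribution-specific.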